In this episode of Security & GRC Decoded, host Raj Krishnamurthy sits down with Tom Scuderi, Senior Manager of Security & GRC at LTK and a veteran practitioner who has spent his career building governance functions at QTS, Tableau, Salesforce, and LTK. Tom shares how to scale GRC in high-growth environments by designing processes that resemble engineering workflows, reducing friction with stakeholders, and shifting from reactive audits to continuous visibility. He breaks down why curated visibility beats blanket access, why SOC 2 should sharpen—not dilute—your security program, and how to anchor leadership decisions with meaningful risk data.

Key Takeaways

  • GRC only scales when its processes mirror how engineering teams already work.
  • SOC 2 should enhance your security program rather than becoming a superficial checkbox exercise.
  • Curated visibility reduces friction and improves cross-functional trust.
  • Clarity in ownership is the backbone of a scalable GRC function.
  • Continuous, context-driven evidence cuts audit fatigue and sharpens the entire program.

What You’ll Learn

  • How Tom built and matured GRC programs across four different companies.
  • Why engineering alignment is essential for sustainable compliance.
  • How curated visibility replaces access sprawl and accelerates audits.
  • The difference between risk-driven and compliance-driven GRC.
  • Why automation only works when underlying processes are mature.
  • How to structure ownership to reduce bottlenecks during SOC 2 and similar frameworks.

This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Tom Scuderi | Senior Manager of Security & GRC | LTK
Connect on LinkedIn: https://www.linkedin.com/in/tom-scuderi/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683

Apple Podcasts: https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450

Raj Krishnamurthy (00:00.981)
Hey, hey, hey, welcome to another episode of Security and GRC Decoded. I’m your favorite host, Raj Krishnamurthy. Today we have the pleasure of talking with Tom Scuderi. Tom is a veteran GRC practitioner. He has been an advisor, auditor, built GRC functions for companies like QTS, Tableau, Salesforce, and LTK. Tom, welcome to the show.
Tom Scuderi (00:26.894)
Thanks Raj.
Raj Krishnamurthy (00:28.587)
Tom, I want to start with something. How did you get into GRC? What made you become a GRC professional?
Tom Scuderi (00:38.19)
Yeah, absolutely. So, started my career as an IT auditor, really being on kind of what I think is the other side of the coin when it comes to GRC, a lot of those external audits.
SOC audits, for example. So, starting my professional career in IT audit, doing a lot of those security audits from the external perspective. Decided that I wanted to see what life was like on the inside. So, ended up transitioning into internal roles, and that was me building compliance teams and really supporting those audits from the other side.
Raj Krishnamurthy (01:14.687)
Okay, and why particularly the IT side of the audit? Is there any reason that you gravitated towards that?
Tom Scuderi (01:24.66)
It’s, I guess, just personal interests of mine. I’ve got experience, just education, kind of more in the financial side, but as I grew professionally, I learned that this IT audit thing was something I was a little more interested in.
Raj Krishnamurthy (01:43.851)
Got it. So Tom, you said something the last time we spoke, and you said that you see GRC as a trust, company’s trust engine. Double click on that for us.
Tom Scuderi (01:54.614)
Yeah, yeah, I think a lot of people see GRC as just maybe a bunch of check boxes, a bunch of documentation, and maybe even at its worst someone standing over your shoulder telling you you did something wrong. And I don’t think that’s right. Over my years of experience in the field, I believe that GRC has just really one primary and more noble mission, and that’s to be
the company’s trust engine.
Raj Krishnamurthy (02:26.805)
I like the word noble mission. Why do you think, I think there is, when we go talk to people in different functions, right, security, engineering, GRC, there seems to be this inherent tension, if you will, between these different functions. Why do you think that is the case? And particularly with respect to GRC.
Tom Scuderi (02:28.749)
Thank
Tom Scuderi (02:48.748)
Yeah, I think that maybe the inherent tension that you experience between maybe some elements of security, security operations, product security, and GRC is also what I referred to earlier. We’re not really here to stand over your shoulder and tell you when you did something wrong, but I mean.
it kind of feels like you’re being audited by GRC and that doesn’t feel good. I think that probably some of that tension just happens because it feels like you’re always being watched by GRC. And really, we’re only watching from the perspective of wanting to be able to act as that trust engine. And what the trust engine wants to do is to be able to
Raj Krishnamurthy (03:24.405)
Yeah.
Tom Scuderi (03:40.642)
provide to build and maintain trust in that security team.
Raj Krishnamurthy (03:47.386)
And nobody likes to be watched, right? Very understandable. And I think you’ve cut to the core of it really quickly, fast. So Tom, what can we as GRC professionals, you as a GRC professional, do to improve that relationship?
Tom Scuderi (04:04.525)
the relationship between GRC and other functions of security, right? Yeah, I think that…
Raj Krishnamurthy (04:07.978)
Exactly.
Tom Scuderi (04:14.349)
To the extent there is any mystery behind what GRC is really trying to do, I think trying to make the case for what GRC actually is doing and why they’re doing what they’re doing, that might help relieve some of that tension. Again, we’re not here, I don’t want to really know
you know, every single thing that a person’s doing, how they executed a control, you know, how they might have brought it back from the brink of failure to actually make it work. We’re not here to watch everything. We’re not here to monitor you that closely.
I think that if we’re able to more clearly articulate really what we’re trying to get out of GRC, what GRC’s purpose is, maybe that would alleviate some of the tension. Maybe that would help the relationship within a broader security function so GRC wasn’t viewed as the black sheep if that’s how it’s coming off.
Raj Krishnamurthy (05:18.379)
So let’s break down Tom, what is G, R and C? What do they mean to you?
Tom Scuderi (05:23.501)
Sure. So governance, risk management, and compliance management. The R is really just risk and the compliance is really just, the C is really just compliance. But I would put the word management behind probably each of those letters. So governance I think is kind of pervasive. It applies to what
what a company has to do for security really across the board. So I’m gonna focus a little bit more on risk management and compliance management. So the trust engine, GRC, has to deliver what I call curated visibility to a few different audiences. And let me unpack what curated visibility is first. So we’ve got the concept of visibility. There is…
a bunch of information, a bunch of data that we generate in the world of security. But there are some realities about that data. It’s vast, like there’s a ton of it. A lot of it’s very technically complex. Some of it is confidential. We don’t want to give out that information. And then, depending on who our stakeholders are, they’re not going to take our word for it that we’re actually doing everything that we say we’re doing
without proving it somehow. So curated visibility is really about how do we deliver a message about our security posture and how do we deliver it without violating, how do we do it with working within the bounds of those realities that I discussed? How do we do it without violating like our confidentiality requirements? We obviously can’t give out all of our sensitive log data.
So in any case, we’ve got this curated visibility that we want to give out and we’ve got different audiences that we need to provide it to. Bring it back to your question about what is G, R, and C. So risk management is really what I see as how we communicate internally with our internal stakeholders. So leadership, the board, you know, they need to know about where our risk posture is, but we can’t…
Tom Scuderi (07:48.13)
back to those realities of security, we can’t give them all of our data, you know, it’s vast. We can’t expect them to understand everything about that data, even if we could give it to them. It’s technically complex. Really, risk management is cutting down the noise that we generate in security and really distilling it and synthesizing it down to a single few messages that can be understood by the business.
So I think that’s risk management. Compliance management is the other side of the coin when it comes to providing curated visibility. It’s for primarily our external stakeholders, so our customers, our partners, regulators. And I think that the curated visibility that we can provide there also has to play by those same rules of what our security realities are. Vast.
complex and especially there’s some information that’s confidential. We can’t expose all of our data. So compliance management, what that’s about when it comes to providing that curated visibility, that would be something like providing, I don’t know, a standardized questionnaire response. We have that ability to curate what we actually say in those questionnaire responses.
And we can provide what we think will be sufficient for the stakeholder to get that assurance, to have that trust. And we can omit some of the more sensitive details. We’ve also got formal audits. Take a SOC 2, for example. SOC 2s provide curated visibility into the security posture of our company. It does a good job of, I guess,
taking all of those tests performed by the external auditors, which look at all of that data, that vast amount of technical data, and also removing all of the sensitive data to provide that singular message of the report opinion. Is it qualified? Is it unqualified? So that’s what G, R, and C are in the GRC realm, and that’s really what all of them are there for.
Tom Scuderi (10:12.129)
They’re a part of that trust engine and the trust engine functions by providing that curated visibility.
Raj Krishnamurthy (10:18.434)
Tom, I really, really love it. I think it’s a brilliant way to sort of articulate this, and I think you’ve done a, I love it. But one question I want to ask you is that I want to maybe, let me ask you a very tangible question, right? So if you, let’s take there is a control where we say that all users should have multi-factor authentication, right? I mean, it may be phrased differently in terms of a control narrative, but we all can sort of rally around this MFA, right? It’s a very ubiquitous control.
The question is that in most cases, we go to the control, and the control is either yes, you’re compliant, or no, you’re not compliant. And what you’re basically saying is that obviously you’re collecting all of the data on all your users to evaluate whether that statement is true or not. What I see in many cases is that there is a sampling that is done through audit, and there is not a whole lot of data to back up the decision that you arrived at for a particular control.
Is that a common scenario? My point is that when you get to a curated visibility, is there a risk that we sometimes ignore the data behind it and we just stick to the summary status because that’s all we are expected to provide?
Tom Scuderi (11:32.85)
Possibly. You know, I think that gets into how much do you, how much does the industry have trust in the external auditors? Because really we have to be able to put trust in that, that proxy that sits in between the security team and the external stakeholders, which is that auditor. So, so yes, we do have to place trust somewhere in, we are placing it in that external auditor.
we’re trusting that the external auditor is doing a sufficient amount of diligence to be able to come to that conclusion. So, I can’t say there’s not risk there, but I think that that’s the way our industry has chosen to evolve, to have that trusted proxy that is the third party auditor. I think that yes, there are ways that you could get potentially more comfort, you know, if you were able to audit directly.
I can’t go to some of my largest vendors and say, give me all your logs. Like they’re not going to do that. And a lot of companies wouldn’t have the expertise to even understand what those logs were if I could get a vendor to give me that. So I think that the use of an external auditor and their ability to provide a more summarized and more synthesized answer on whether the company is secure or not is the
the best option that our industry has come up with so far.
Raj Krishnamurthy (13:06.454)
No, I think that makes sense. I think my question is also that even for, like you talked about risk management as an internal function, right, where you’re evaluating the risks internally, unlike compliance. In that case, what is the role of the GRC team vis-a-vis the data collection? Are you responsible for collecting all the data? How do you think about this? Or do you want to do just sampling? Or do you rely on your security and engineering teams to…
and truly trust them in terms of when they say that, yes, we are compliant, how would you go about thinking about where and what level of trust do you place inside the company?
Tom Scuderi (13:45.742)
Sure, yeah, and I mean in this case, when we’re talking about internally, yes, on the external side, we’re placing trust in that external auditor, right, to provide some sort of a synthesized answer on whether things are secure or not. To an extent, on the internal side, we’re doing that with the GRC team and also other internal stakeholders. I don’t think that’s unreasonable.
because I mean, we’ve got a whole suite of other controls that operate to make sure we’re hiring the right people. Are we hiring trustworthy people? Hopefully those controls are operating and the people that are in that GRC function, your security function, you believe can be trusted. Now, your question about whether we need to do more than just sampling. I think that that’s probably a…
That’s probably dependent on what we’re talking about. Higher risk systems, higher risk situations probably demand a higher level of scrutiny. A lower risk system, maybe a lower amount of sampling is sufficient.
Raj Krishnamurthy (15:02.22)
Makes sense, makes sense. So when I am building a system such as autonomous car, very different risk profile than trying to run a website that is doing retail. So I totally, totally agree. I think when you had actually put this in somewhere in your notes about the way you see GRC role is that of a trusted attending physician. Can you explain to our audience what that means?
Tom Scuderi (15:25.355)
Yeah. Sure. So the analogy here is, you know, think of a hospital and in the hospital we’ve got all of these specialists that are monitoring, you know, results out of an EKG machine, running labs and getting those very technical results. That’s our security team. And the amount of data they collect is vast and very technical. And then you’ve got…
In the case of external stakeholders, let’s say a customer, that’s the patient’s family. So the patient’s family wants to know about the health of the patient. They want to know, you know, is the patient okay? And we’ve got all of this data that’s coming out of the EKGs and the labs, and it’s a vast amount of data. It is very technically complex. We’ll say in this case, the patient’s family.
They’re not doctors. They’re not going to be able to interpret all of that data themselves. So enter GRC as the trusted physician in this case. The trusted physician does have the ability to interact with those specialists, collect that data, this vast amount of data, and synthesize it down to
something that is understandable to individuals not in the medical field or in our case not in the security field. So, you know, the trusted physician is able to come in, tell the patient’s family, yes, the patient’s okay, here’s the diagnosis, here are the next steps.
Raj Krishnamurthy (17:04.478)
I think that’s a beautiful example of, I think you’re tying curated visibility, I think you’re sort of double clicking on that and I think this is an excellent analogy. And this may sound controversial and maybe even downright offensive, Tom, so I’m sorry if that comes out to be the case. In the world of generative AI and large language models where we can feed data and does a phenomenally great job of summarizing, is there a need for a GRC team? Based on what you just talked about, curated visibility.
Tom Scuderi (17:28.941)
Mm.
Tom Scuderi (17:34.658)
I think the answer here is maybe not terribly different than, I think you could ask this question for a lot of professions. And I think that AI and its capabilities really enable the GRC function to be more efficient, to move faster. I don’t think it fully replaces them. I think that…
I think that the GRC professionals who can make effective use of AI are the ones that are going to be the most effective though.
Raj Krishnamurthy (18:11.766)
Love it, love it, love it. And so I want to be taking a step back. You’ve been in compliance for quite a long time. Why are these compliance standards, and I’m talking about cybersecurity standards, right? Why are they so vague?
Tom Scuderi (18:26.477)
Yeah, yeah, so like I brought up earlier, the SOC 2. So a SOC 2 is a compliance standard and we use it to provide that curated visibility. So it’s a tool for GRC to communicate often with our external stakeholders. So…
The way I think about a compliance standard, the ideal world is you’ve got a lot of very smart security professionals that come together and say, here are the X number of things that you need to do to have a really tight and strong security posture. So we’ve got that. But then, other parties or maybe the security professionals themselves look at it and say,
We came up with this and this is a really solid list, but it’s gonna be really hard to apply these things that we’ve identified really broadly. And we want this standard that we’re coming up with to be broadly applicable. So it’s gonna go through a refinement process and that refinement process is really going to take those very specific security recommendations.
and try to refine them into more of a one size fits all model. And so they become vague. And they become vague, you know, it’s not a flaw. I’d say it’s more like a side effect of being able to make them more broadly applicable. So that’s how I think standards become vague. And then to make a plug for the GRC team, we’ve got…
these professionals who understand, at a certain level at least, what was the original intent of those security professionals. They understand the technical reasons that these controls existed. And they also understand what was the nuanced intent here when they started going through this refinement process. You’ve got a control that maybe says, you need to review access periodically. Reviewing access, yeah, that makes perfect sense. Periodically,
Tom Scuderi (20:42.847)
What the heck does that mean? That’s the vagueness that gets introduced to these standards. But because GRC has that understanding, they’re able to say, well, I understand reviewing access is really important. And they also understand that this is all coming back to what is the risk related to how we’re applying that requirement. So if I’m applying that requirement to review access to
a mission critical system, I need to review it pretty frequently, quarterly, monthly. If it’s a low risk tool, maybe it’s annual.
Raj Krishnamurthy (21:17.282)
Mm.
Raj Krishnamurthy (21:22.646)
No, makes sense. Makes sense. And I think I hear what you’re saying. So you’re saying the vagueness is a feature, not a bug. That’s what you’re saying. But I think going back to the access example that you gave, I think there are two parts to that. One is review user access and then periodically. And like rightly said, I think the periodicity is determined based on what is the risk profile of the asset. But the question I want to also ask you is that review user access, does that just
Are you going to restrict that to your identity gateway systems like Okta, Azure AD, or now it’s called Entra? Or do you go beyond? Do you look into the, even though if it’s authenticated, you still look at authorization on each of these individual systems. How do you make this determination of the scope of the assets and what you’re trying to do?
Tom Scuderi (22:13.485)
Sure. I think there are probably a few different ways to answer that. Let’s just take it from the angle of, you know, do we look at these perimeter systems or are we looking at some of the individual systems that are within the perimeter? I think yes, you need to look at those. Sure, you might be able to say that we terminated a user on X date and we took out their perimeter access that blocked the front door.
And okay, I understand that argument, but how about when, you know, somebody changed a role within the company? You’ve got potential insider threats to think about, so just looking at access from the perspective of the front door, from the Oktas or whatever of the world, that’s not going to be sufficient to protect you from insider threats.
Raj Krishnamurthy (23:07.628)
Beautifully said. So Tom, if I sequence this conversation, you’re sitting in GRC and you’re actually acting as the sandwich. You’re looking at a lot of these things, both from a security and an engineering perspective and also from an audit and a compliance perspective, meaning internal stakeholders, like you talked about in this, and external stakeholders that you talked about in compliance, whether it is market regulators, whoever they are. How do you have this conversation where, for example, this example that you talked about?
about an insider threat versus looking at the perimeter, right? What are you trying to have as a conversation with the auditor and what are you trying to have as a conversation with the security teams in terms of agreeing on what the scope should be as a GRC professional?
Tom Scuderi (23:59.31)
So on the internal teams, and really it’s not going to be terribly different in the discussion with the auditors. I just need to understand, I think, where the risk actually is. If there truly is no risk in doing something or not doing something, then perhaps it’s not necessary to do. And a lot of the more recently
refined compliance standards, they allow for being able to make this argument about whether there truly is a risk that is being addressed by this requirement or whether this requirement isn’t really that applicable because you don’t have a risk. So I think that to have the conversation internally and with auditors,
You really just need to understand whether it’s truly addressing a risk.
Raj Krishnamurthy (25:00.448)
Okay, and I want to go back to your curated visibility. So in order to ask a GRC professional to provide a curated visibility, there are two sides to this, right? There is details and there is summary, depending on who the audience is. And the GRC team essentially is acting as a pipe that takes all the details, processes them, and provides a summary. To what extent should the GRC team be technical? How technical should they be?
Tom Scuderi (25:25.613)
Good question. So I don’t know if there is only one right answer. I can say that the one thing that GRC absolutely needs to do as a part of being that trust engine is being able to help generate that trust. Now, I think that how far into the technical weeds and how far into it
Do the GRC professionals need to go with respect to whether they’re the ones actually pulling evidence or whether they’re relying on, you know, an engineer to pull the evidence for them? I don’t know if I have a strong position on that. I think it could be either. I think a GRC individual that is more technical does have the capability probably to do more of that work. But that’s not really the secret sauce of GRC, I think.
I think that’s what we really need out of GRC is to be able to present that, to build that trust by presenting that curated visibility. How you get to the curated visibility, I think you’ll probably make more friends in engineering if you can do more of that work. But I don’t know if the benefit of having a GRC function,
Raj Krishnamurthy (26:40.556)
Hahaha
Tom Scuderi (26:52.873)
is necessarily impacted really strongly by whether your GRC team is super technical or
Raj Krishnamurthy (27:00.652)
Got it. But I think the question, then I will ask you slightly differently. And you actually, we spoke about the cadence mismatch last time, right? On one hand, almost all of us are software shops. Now we are all AI shops, right? And we are, I mean, the explosion of code is going through the roof. And you’re releasing hundreds and thousands of, making hundreds and thousands of releases, right, on the DevOps side. Whereas your audits are extremely less frequent, right?
And we don’t need to be sort of scientists to know that there is an inherent cadence mismatch here. What is your view as a GRC professional of this cadence mismatch between what the platform engineering, SRE, and the DevOps teams are doing and what the auditors are seeking?
Tom Scuderi (27:47.501)
Sure, okay.
Yes, I think we’re out of sync. So we’ve got an audit which is inherently like a heavyweight and lengthy process, and then we’ve got security, which is changing on a dime, changing very rapidly. So obviously those two things are not operating at the same frequency.
You know, the good thing about that SOC 2 audit, to continue with SOC 2, is it’s going to provide a good amount of assurance to the external parties that need to be able to trust a company. And it’s going to provide it in a way that’s pretty easily understandable. But the bad news is, is that SOC 2, you know,
by design is a look back on it. It’s going to look back at how secure you were months ago and it’s not really going to tell you how secure you are as of the date it’s even issued. It’s already old news at that point.
So yeah, there’s a cadence mismatch for sure. And really the way that a SOC 2 audit works, the way all of our audits work.
Tom Scuderi (29:11.865)
It’s not a matter of necessarily just doing more audits and doing them faster. We’ve always got by design the nature of the fact that these are look-back audits. They’re always going to be looking back into the past. They’re not going to give you anything about what the present-day security posture is. The best you can hope for is that if they were operating securely in the past, that’s a good indication that they’ll be operating securely in the future.
Raj Krishnamurthy (29:36.864)
And when you make the claim that GRC is the trust engine, isn’t trust continuous?
Tom Scuderi (29:45.237)
I think it should be. I think that maybe our mechanisms for building trust are, don’t have a, they haven’t evolved to the point that we can give a, I don’t think we have a great way to provide that curated visibility on a real time basis.
Raj Krishnamurthy (30:08.566)
And so that’s an important point, Tom. What stops it from getting continuous feed of data and providing continuous curated visibility? Why should we settle for less frequent visibility? And like you said, look back audits.
Tom Scuderi (30:29.889)
Yeah, well I don’t know that we should settle for it. That’s, I’d say, more just an artifact of how this industry has evolved and where we’re at currently. You know, let’s go back to our realities of security that I mentioned earlier.
It’s vast, we create a lot of data, technically complex, not everyone’s gonna be able to understand it, and some of it has to be kept confidential. We don’t want to make ourselves vulnerable by accidentally exposing too much information. So I think there is…
there’s probably a challenge in being able to provide near real time because a lot of what happens in a SOC 2 audit, again, that auditor, that audit is working as a proxy. It’s helping us synthesize a lot of data, a lot of complex data that not everyone’s gonna understand. And also, they’re going to look at information that’s confidential that frankly we can’t expose at a real time. So…
I imagine there are ways to do it that at least check some of those boxes that, for example, helps us synthesize large amounts of data that’s complex. Maybe there’s even ways that we could figure out how to have some sort of a trusted intermediary or proxy that helps us synthesize confidential data in a way that I can trust as a customer.
down to a signal saying, yes, this is a secure way of doing it. The SOC 2 audit and other audits just happen to be where we’re at right now.
Raj Krishnamurthy (32:17.442)
Got it, got it. When I talk to customers, I typically say, you know, you can look at GRC from two perspectives, one from the perspective of audit, the other from the perspective of assurance. Sometimes, now that I’m hearing you, right, I almost feel like that’s a very false narrative, wrong narrative, right? As if these are two exclusive things and they’re not, right? I mean, I think the idea is to be able to provide what you’re saying, like the curated visibility to build the trust.
And we’ll have to collectively figure out how to get there and not just get locked into these words of audits and assurance. Is that a reasonable thing to say?
Tom Scuderi (32:50.71)
I think so.
Raj Krishnamurthy (32:52.158)
And in your notes, you said something very, very interesting, and I want our listeners to hear this. And you said there is a car inspection analogy. Can you explain to us, please?
Tom Scuderi (33:00.906)
Yeah, sure. That analogy, it ties back to the nature of an audit being a look back audit. So I can take my car to the mechanic and let’s say I took the car to the mechanic in January. And fast forward eight months from now, you know, the car inspection from the mechanic is the equivalent to our SOC 2 audit. I’m not going to read that SOC 2 audit until months and months from now.
And so yeah, the mechanic said that my brakes work just fine eight months ago. That doesn’t tell me anything about whether my brakes are going to work on the drive in to work this morning.
Raj Krishnamurthy (33:35.728)
Ha ha ha ha ha.
Raj Krishnamurthy (33:40.598)
Yeah, you’re hoping. But I think typically, past is always irrespective of what we want it to be. Past has always been a predictor of future. In fact, that’s how our locking mechanisms work in databases. That’s how our large language model, the next word predictor works. All of these are based on past heuristics and past data. Are they not?
Tom Scuderi (33:42.252)
you
Tom Scuderi (34:05.974)
Yeah, I think that’s a good common thread that we’ve seen, past performance being the best indicator of future performance.
Raj Krishnamurthy (34:16.492)
Totally. Now, the other side of the question I want to ask you is that I see GRC, and I think you made a, I go back to this beautiful sort of idea that you talked about as the curated visibility, because what basically you’re saying is GRC is actually separating in some ways, consuming a lot of data, separating the signals from the noise and presenting a summary level data for some people to act on, right? I mean, that’s the other interpretation of how I take it.
And if GRC can do that, you’re actually, GRC as a function is generating a whole lot of very interesting signals within the company. And security is all about consuming signals, whether these are external threat signals, nation state actors, so on and so forth. Why are we not? But I’ve rarely come across a situation where the security apparatus consumes the data that is generated by GRC in real time protection.
Meaning, why is the GRC data not flowing back or not looping back into security? Or am I wrong in saying that?
Tom Scuderi (35:21.984)
Yeah, I think I understand where you’re going with that.
Tom Scuderi (35:28.748)
I guess let me answer it from kind of the two-party perspective. So like a vendor and a customer. Right now we have a bunch of SOC 2 audits that get issued. But let’s say in a future world we figure out how to generate more real-time signals of our security posture. Great. So the vendor has got it figured out. They know how to…
how to provide that curated visibility in real time or near real time. That’s good. But put ourselves in the shoes of the customer for a second. That customer might have dozens, maybe hundreds of vendors, just like me. We’re all doing a perfect job of providing that curated visibility. That’s still a lot of information when you look at hundreds of vendors.
You need to have a function to be able to receive all of that. All of those signals, all that really high quality information that’s coming from my vendors, it’s only beneficial if there’s someone actually there to receive it. And more than that, someone has to be there to receive it and actually take an action on it. So it’s like…
Yeah, okay. I’ve got 99 of my 100 vendors that look good. They passed their audits or all of their signals are looking positive. But then I’ve got one, this really critical vendor that, they failed an audit or they’ve got some signal that looks bad as far as their security posture. What now? Like, I’ve got to be able to do something with that. Does that mean that…
you know, it’s a breach of contract and I need to engage my legal team. Does it mean that I need to go look for a new vendor very quickly? Because this is a critical service. I rely on this. So none of those are lightweight. So really, when you were asking about taking the signal out of GRC, that curated visibility, and looping it back in the
Tom Scuderi (37:53.345)
Vendor-customer relationship, you know, it’s hard to loop back, I think. You need to have someone there to actually receive it and take action on it. I don’t know that’s something that I could say exists really robustly across industries.
Raj Krishnamurthy (38:13.068)
No, I think that’s a great point. I think this is what, I’m looking at your notes, and this is what you’re talking about as the assurance deludes, is it not? I think that’s a great way to put it. But is the prob, I think if I split what you’re saying into two parts, one is generating signals and consuming signals, and maybe there is a third, acting on what you have consumed, right? And is people the problem here? So if you replace the people part of
Tom Scuderi (38:20.426)
Yeah. Yep.
Raj Krishnamurthy (38:41.43)
what you’re receiving and what you’re acting on with software that can be infinitely scalable. I’m just maybe dreaming, right? But is that the problem here is people is what is slowing down the consumption and the response?
Tom Scuderi (38:54.304)
You know, maybe, but also do we have a lot of soft… So first off, we probably don’t have within our industry a super standardized way outside of maybe like these big SOC 2 reports.
to deliver this curated visibility from the vendor side. Do we have on the customer side a way to ingest that in a really standardized way and then take consistent action on it? Maybe we’ve got some things that give me some clever dashboards, and I can say I’ve uploaded my 100 vendors’ SOC 2 reports and I see green across the dashboard. Good. I think it’s always going to be a little bit of a people issue when we identify
something that fits into that third bucket of I need to take action because my critical vendor just had a huge, you know, security issue.
Raj Krishnamurthy (39:47.052)
Got it, got it. Thomas, you work and you work with leading tech companies, right? What is the effect of compliance toil on engineering and security? What is your sort of take?
Tom Scuderi (40:05.484)
Yeah, I think what I said earlier, kind of an offhand comment when you were asking how technical GRC needs to be, and I said that you’d probably have more friends in engineering if you were more technical. And I think that’s kind of getting at what you’re asking. There is
at least perceived if not real toil that gets involved or that is involved when we’re talking about something like a SOC 2 audit. If you’ve never been through a SOC 2 audit, what it usually looks like is you’ve got an auditor that comes in, gives you a request list that’s got dozens of things on it, and then you see that as a GRC professional. And if you’re not technical, if you don’t have the ability to access those systems yourself, what you’re going to do is you’re going to say, engineer A needs to
request number one. Engineer B needs to go get request number two, and they’re pulling a lot of, you know, log data, they’re pulling screenshots. Not something I’ve seen most people, let alone engineers, get real excited about. So I think that’s where toil is, and I think that, you know, there are definitely software solutions that can help alleviate at least some of that toil.
Raj Krishnamurthy (41:14.06)
Okay.
Raj Krishnamurthy (41:25.194)
And how, maybe can you describe for our audience, what did you mean by that? The software solution that can help alleviate, what does that look like?
Tom Scuderi (41:33.623)
Sure, well you could give your SOC 2 professionals that are actually receiving that request list all the access to be able to pull all of that information themselves assuming they’ve got the sufficient level of technical expertise. You could also set up compliance automation systems that, you
as you’re well aware, have the capabilities to interact with systems and pull some of that data in a more automated fashion.
Raj Krishnamurthy (42:05.91)
Makes sense, makes sense.
Raj Krishnamurthy (42:12.374)
when
Raj Krishnamurthy (42:17.6)
What can GRC professionals do?
to alleviate some of the toil, is there something that you can do to work with the other teams, especially engineering and security teams, ahead of time? Are there things that you can do that can significantly reduce this?
Tom Scuderi (42:38.476)
What you can do ahead of time, assuming a state where you’re still going to have to tell your engineers that they’re going to have to help pull some of this data for you, giving them a heads up so they can build it into their sprints.
probably would be appreciated. So, you know, that’s a good thing to do. And what else you can do ahead of time, you know, depending on how far ahead of time you have this information is there are, like we talked about, to give.
your GRC team the access it would need, you know, auditor access to system ABC, the ability to pull some of that information themselves, and educate them on how to pull that information themselves. And then, you know, I think that the most ideal state is probably having that automation in place that would be able to say this is a request list, it’s able to ingest the request list, it’s able to interpret that this request that came from the auditor means that I need to
pull this, it pulls that information and then it can be provided to the auditor.
Raj Krishnamurthy (43:45.058)
Do auditors still ask you for screenshots?
Tom Scuderi (43:50.092)
Of course, auditors love screenshots.
Raj Krishnamurthy (43:52.734)
And how do you justify, especially when you move and you want to move at a faster clip, right, where you’re integrating the APIs, you’re integrating with other protocols, right, open protocols, how do you bring the auditors along with you in this conversation as a GRC professional?
Tom Scuderi (44:10.028)
Sure. Yeah. Well, there are.
Tom Scuderi (44:19.348)
Actually, I might ask you, give me a little bit more as far as what you’re asking.
Raj Krishnamurthy (44:24.77)
So basically today the way that I interpret this is that the auditor is asking you questions, you provide them some response, and they’re basically trying to do some sampling because that’s pretty much what they can do, right? And let’s say that you have 100 users and they ask you for, 100 terminated users, they ask you for a screenshot or some sort of a ticketing, from a ticketing system or whatever that means is, right, that you have terminated those five samples that they’ve asked you for. However,
if you’re on a continuous assurance basis, you have pulled up all the 100 users. You are periodically evaluating them. Maybe you’re evaluating them on a weekly basis, right? And you’re aggregating them. And when you go back to the auditor and say that I am actually constantly evaluating this from a continuous controls monitoring perspective, do they, I’m sure there is some level of skepticism there. So how do you bring them along with saying that, you know, this is better than a screenshot and we have controls in place that we evaluate on a continuous basis?
Tom Scuderi (45:20.662)
Yep, I think I understand where you come from. So, I mean, an auditor’s test procedures, they are the ones that define how they’re going to get comfortable whether a control or requirement is passing or not. And I think that they’ll probably come into an audit just saying copy paste the test procedure that we used at the last customer to test periodic access terminations, whatever.
I think that GRC is positioned well to have the conversation, to understand what are the things that we’re doing internally to get that assurance and how can you plug into that with your test procedures to also get that assurance, to be able to say this control is operating effectively.
Raj Krishnamurthy (46:09.654)
Makes sense. And maybe it’s a dumb question, please bear with me. So GRC is acting as a filter. The auditor comes to the GRC team. The GRC team either finds this information or goes to people to find this information, presents it back to the auditor. Why can’t the auditor directly go to the control owners if there is a way that they can both communicate the same language?
Tom Scuderi (46:33.356)
Well, I do think that the additional piece that you added on to the end, if they can communicate in the same language, is sometimes the rub. I do think that sometimes, you know, you’ve got people in GRC that…
Raj Krishnamurthy (46:44.62)
Come back to the same language.
Tom Scuderi (46:54.452)
either have been auditors, have worked with auditors in the past, and again, if you’re in GRC, you also have an understanding of the internal workings of the company. So I do think that GRC sometimes provides that translation layer.
Is it possible to have an auditor go directly to an engineer? Yes, I think that there’s nothing saying that can’t happen. Not all companies have really, like, dedicated GRC teams. And in some cases, it will be the auditor going directly to a control owner, to an engineer. But I think that where it becomes, where the standard especially is more vague, that GRC professional is more helpful in providing
some of those translation services.
Raj Krishnamurthy (47:47.554)
Beautiful. I see. Got it. In your experience, do you distinguish between back office security and compliance versus product security and compliance?
Tom Scuderi (48:02.496)
Back office, can you give me an example of what back office is?
Raj Krishnamurthy (48:05.174)
Your security with respect to all the back end systems, your active directory, all the things that you’re doing, your employees are doing, your systems that are up and running, versus something that is inbuilt in the product, where you’re basically demonstrating compliance for a health care product or a retail product or a financial services product or whatever.
Tom Scuderi (48:28.3)
I think that we start talking about, we start having a discussion about scoping when we talk about this and your audiences. So going back to compliance management, a lot of the focus is on our external audience, our customers and other stakeholders.
I think that the customer is going to be most interested in the systems that underpin the services they consume from my company. So I think that when we’re talking about a lot of, like, SOC 2 audits, for example, we’re going to be more interested in those. When we’re having the conversation with auditors, that’s the conversation we’re going to have. It’s going to be scoped around some of those very customer-facing systems.
But look at the other side of the coin, risk management.
it’s going to be important to anyone’s leadership that their internal or back office systems, HRIS, things that don’t get pulled into a SOC 2 audit typically, they wanna make sure they’ve got a strong security posture there too. I mean, maybe the way that you’re generating that curated visibility through compliance management, it ends up being a little bit different for the external parties, that audience.
but you still need to think about both. Your internal audience is going to definitely care about both.
Raj Krishnamurthy (50:09.986)
Okay, I think you talked about GRC being a trust engine and one of the challenges is that trust is a very nebulous term. There are very many nebulous terms. Trust is one of those. Is there a need to quantify trust? I mean, let’s say metrics. How should we think about it?
Tom Scuderi (50:30.282)
Yeah, well let’s talk about trust for a second. So we know that trust is important but nebulous. What is the standard of trust? What is enough trust? I’m talking about…
I’m talking about like my external parties, customers, other stakeholders that are external. Enough trust is probably what’s enough to get them to buy the product. No one’s going to buy a product they don’t trust. No one’s going to sign a deal if they don’t trust your company. So really that standard of trust, I think is defined that way. And then quantifying it. I don’t know. I don’t know if…
Outside of the fact that we know what enough trust is, and that’s enough to be able to close the deal, I don’t know if, like, a scale of one to a hundred, I don’t know if that conversation is one that we necessarily need to dig into a lot. Because we either close the deal or we don’t. It ends up kind of becoming black and white: what is good enough to set us apart from our competitors and actually win that customer?
Raj Krishnamurthy (51:48.416)
Okay, now I think I asked that question as a contrast to this idea of zero trust, right? And it has become sort of a security and a networking phenomenon, right? Where you actually don’t trust any of these, even internal systems. And the idea is that each of them will have to demonstrate that they are trustworthy, right? So there is a publisher and there is a consumer, right? So there is some sort of a contract and it is a very contextual contract. And that’s…
where I was trying to expand on this idea that as a GRC professional, when you think about trust, are there metrics that you will need to come up with that can give you a collection of them at least, that can give you better confidence about whether you can trust a particular asset, whether you can trust a particular service, whether you can trust a particular outcome, whatever that is.
Tom Scuderi (52:44.042)
It’s a good question. I don’t know if I’ve got a really strong answer from like a GRC perspective.
Raj Krishnamurthy (52:52.426)
No problem, Tom. Tom, I think this has been a fantastic conversation. We are approaching almost the end of the segment. What do you characterize as the current state of GRC tooling?
Tom Scuderi (53:07.702)
Current state of GRC tooling probably is a lot like the current state of just how we are doing as far as being able to run the trust engine and provide that curated visibility. I think that a lot of it still is not in sync with that cadence of security. I think that we’re able to…
consume a lot of data. I think we’re able to figure out some very complex things, but I don’t think any of our tooling really has gotten to the point that we’re able to provide that curated visibility around our security posture.
Raj Krishnamurthy (53:52.642)
Got it, got it. No, that’s a great point. And for a person who is listening to this podcast, especially somebody fresh from college, right, what would your advice be on how they can join this GRC bandwagon, right? What are the key things that they should go read up, listen to, right, or get prepared with to take the route that you have taken, Tom?
Tom Scuderi (54:23.562)
I think that it’s important to have a really solid foundational understanding of how do we build trust around security. So we’ve got very technical people that are going to be doing very technical security things. And it is not a bad thing for you to be more technical yourself.
what you absolutely need to be able to do and have an understanding about is how do we build that trust in security? How do we present that curated visibility internally within our own organization, externally within our customers and other stakeholders? So I think that not taking your eye off of that secret sauce from GRC.
of being able to provide the curated visibility to be able to run that trust engine. That’s really what I would tell people that are looking to break into it.
Raj Krishnamurthy (55:28.626)
I love it. I love it, Tom. This has been, I loved this conversation. This has been a fantastic conversation, Tom. Thanks for joining us today.
Tom Scuderi (55:36.288)
Thank you, Raj.